(12) INTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATS' (PCT) 



(19) World Inieilectual Property Organization' 
IniemaiionaJ Bureau 

(43) International Publication Date 
17 July 2003(17.07.2003) 




PCT 



illllllllllllUlllliiiliilliiHI 

(10) International Publication Number 

wo 03/058412 A2 



(51) International Patent Classification^: 



G06F 1/00 



(21) International Application Number: PCTAiS02/41 177 

(22) International Filing Date: 

20 December 2002 (20. 1 2.2002 ) 



(25) Filing Language: 

(26) Publication Language: 



English 
English 



(30) Priority Data: 
10A)4I.07I 



28 December 200 1 (28. 1 22001 ) US 



(71) Applicant: INTEL CORPORATION (USAJSJ; 2200 
Mission College Boulevard. Sania Clara, CA 950S2 (US). 

(72) Inventors: CLEW, Andrew; 13131 NW Mountainview 
Road, Portland, OR 97231 (US). SUTTON, James, 
II; 20205 ^W Paulina Drive, Portland, OR 97229 
(US). SMITH, Lawrence, 11; 14995 NW Nonhombria, 
Beavenon, OR 97006 (US). GRAWROCK, David; 
8285 Soulhwcsi I84ih Avenue, Aloha, OR 97007 (US). 
NEIGER, Gilbert; 2424 N.E. 11 th Avenue, Portland, 
OR 97212 (US). KOZUCH, Michael; 3515 Chapel Hill 
Coun, Export, PA 15632 (US). 



(74) Agents: MALLIE, Miebad, J. et al.; Blakcly, SokololT, 
Taylor & Zafman, 12400. Wilshire Boulcvaid, 7lh Foor. 
Los Angeles, CA 90025 (US). 

(81 ) Designated States (nationaUi At AG, AL, AM, AT, AIJ. 
AZ, BA, BB, BG, BR. BY, BZ, CA, CH, CN, CO, CR. CU, 
CZ, DE, DK, DM. DZ, EC, EE, ES. H, GB. GD, GE. GH, 
GM, HR, HU, ID, IL, FN, IS, JP, KE, KG, KP, KR, KZ, LC, 
LK, LR, LS, LT, LU, LV, MA, MD, MG, MK, MN, MW. 
MX, MZ, NO, NZ. OM, PH, PL. FT, RO, RU, SC, SD, SE, 
SG, SK, SU TJ, TM, TN, TR, TT, TZ, UA, UG, UZ, VC, 
VN, YU, ZA, ZM. ZW. 

(84) Designated States (regional): ARIPO patent (GH, GM. 
KE, LS, MW, MZ, SD, SL, SZ, TZ, UG, ZM, ZW), 
Eurasian patent (AM, AZ, BY, KG, KZ, MD, RU. TJ, TM). 
European patent (AT, BE, BG, CH, CY, CZ, DE, DK, EE, 
ES, FI, FR, GB, GR, IE, IT, LU, MC, NL, PT, SE. SI, SK, 
TR), OAPI patent (BF, BJ. CF, CG, CI, CM, OA, ON, GQ. 
GW, ML. MR. NE. SN, TD, TG). 

Published: . 

— -without international search report and to be republished 
upon recent of that report 

For two-letter codes and other abbreviations, refer to the "Guid- 
ance Notes on Codes and Abbreviations" appearing at the begin- 
ning of each regular issue of the PCT Gazette. 



< 



00 

in 



Q (54) Title: AUTHENTICATED CODE METHOD AND APPARATUS 



(57) Abstract: Apparatus and method load, authenticate, and/or execute authenticated code modules stored in a private memory. 



BNSOOCII): <WO_CXX16e4ieA2.L> 



wo 03/058412 PCT/US02/41 177 

AUTHENTICATED CODE METHOD AND 
APPARATUS 

RELATED APPLICATIONS 

5 [0001] This application Is related to Application Serial Number 

/ , entitled "Processor Supporting Execution Of An Authenticated 

Code Instruction"; and Application Serial Number / , entitled 

'Authenticated Code Module" both filed on the same date as the present 
application. 

10 BACKGROUND 

[0002] Computing devices execute fimnware and/or software code to 
perform various operations. The code may be in the form of user applications, 
BIOS routines, operating system routines, etc. Some operating systems provide 
limited protections for maintaining the integrity of the computing device against 

15 rogue code. For example, an administrator may limit users or groups of users to 
executing certain pre-approved code. Further, an administrator may configure a 
sandbox or an isolated environment in which untrusted code may be executed 
until the administrator deems the code trustworthy. While the above techniques 
provide some protection, they generally require an administrator to manually 

20 mai^e a trust determination based upon the provider of the code, historic 
performance of the code, and/or review of the source code Itself. 
[0003] Other mechanisms have also been introduced to provide automated 
mechanisms for making a trust decision. For example, an entity (e.g. software 
manufacturer) may provide the code with a certificate such as a X.509 certificate 
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that digitally signs the code and attests to the integrity of the code. An 
administrator may configure an operating system to automatically allow users to 
execute code that provides a certificate from a trusted entity without the 
administrator specifically analyzing the code in question. While the above 
technique may be sufficient for some environments, the above technique 
inherently trusts the operating system or other software executing under the 
control of the operating system to correctly process the certificate. 
[0004] Certain operations, however, may not be able to trust the operating 
system to make such a determination. For example, the code to be executed 
may result in the computing device determining whether the operating system is 
to be tmsted. Relying on the operating system to authenticate such code would 
thwart the purpose of the code. Further, the code to be executed may comprise 
system initialization code that is executed prior to the operating system of the 
computing device. Such code therefore cannot be authenticated by the operating 
system. 

BRIEF DESCRIPTION OF THE DRAWINGS 

[0005] The invention described herein is illustrated by way of example and 
not by way of limitation in the accompanying figures. For simplicity and darily of 
illustration, elements illustrated in the figures are not necessarily drawn to scale. 
For example, the dimensions of some elements may be exaggerated relative to 
other elements for clarity. Further, where considered appropriate, reference 
numerals have been repeated among the figures to Indicate connespondlng or 
analogous elements. 
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[0006] FIGS. 1 A-1 E illustrate example embodiments of a computing device 
having private memory. 

[0007] FIG. 2 illustrates an example authenticated code (AC) module that 
may launched by the computing device shown in FIGS. 1A-1E. 
5 [0008] FIG. 3 illustrates an example embodiment of the processor of the 
computing device shown in FIGS. 1A-1E. 

[0009] FIG. 4 illustrates an example method of launching the AC module 
shown In FIG. 2, 

[0010] FIG. 5 illustrates an example method of terminating execution of the 
10 AC module shown in FIG. 2. 

[001 1] FIG. 6 illustrates another embodiment of the computing device 
shown In FIGS. 1A-1E. 

[0012] FIGS. 7A-7B illustrate example methods of launching and 
tenninating execution of the AC module shown in FIG. 2. 
15 [0013] FIG. 8 illustrates a system for simulating, emulating, and/or testing 
the processors of the computing devices shown in FIGS. 1 A-1 E. 

DETAILED DESCRIPTION 

[0014] The following descripSon describes techniques for launching and 
terminating execution of authenticated code (AC) modules that may be used for 
20 various operations such as establishing and/or maintaining a trusted computing 
environment In ttie following description, numerous specific details such as logic 
implementations, opcodes, means to specify operands, resource 
partitioning/sharing/duplication implementations, types and interrelationships of 
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system components, and logic partitioning/integration choices are set forth in 
order to provide a more thorough understanding of the present invention. It will 
be appreciated, however, by one skilled in the art that the invention may be 
practiced without such specific details, in other instances, control structures, gate 
5 level drcuits and full software instruction sequences have not been shown In 
detail in order not to obscure the invention. Those of ordinary skill in the art, with 
the included descriptions, will be able to implement appropriate functionality 
without undue experimentation. 

[0015] References in the specification to "one embodiment", "an 
10 embodimenf , "an example embodimenf , etc., indicate that the embodiment 
described may include a particular feature, structure, or characteristic, but every, 
embodiment may not necessarily include the particular feature, structure, or 
characteristic. Moreover, such phrases are not necessarily referring to the same 
embodiment. Further, when a particular feature, stmcture. or characteristic is 
1 5 described in connection with an embodiment, it is submitted that it is within the 
knowledge of one skilled In the art to effect such feature, structure, or 
characteristic in connection with other embodiments whether or not explldtly 
described. 

[0016] |n the following description and claims, the terms "coupled" and 
20 "connected," along with their derivatives, may be used. It should be understood 
that these terms are not intended as synonyms for each other. Rather, in 
particular embodiments, "connected" may be used to indicate that two or more 
elements are in direct physical or electrical contact with each other. "Coupled" 
may mean that two or more elemente are in direct physical or electrical contact 
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However, "coupled" may also mean that two or more elements are not in direct 
contact with each other, but yet stiil co-operate or interact with each other. 
[00171 Example embodiments of a computing device 100 are shown in FIG. 
1A-1E. The computing device 100 may comprise one or more processors 110 

5 coupled to a chipset 120 via a processor bus 130. The chipset 120 may comprise 
one or more integrated circuit packages or chips that couple the processdrs 110 
to system memory 140. a physical token 150. private memory 160. a media 
interface 170, and/or other I/O devices of the computing device 100. 
[0018] Each processor 1 10 may be implemented as a single integrated 

10 circuit, multiple integrated circuits, or hardware with software routines (e.g., binary 
translation routines). Further, the processors 1 10 may comprise cache memories 
112 and control registers 1 14 via which the cache memories 1 12 may be 
configured to operate in a normal cache mode or in a cache-as-RAM mode. In 
the nonral cache mode, the cache memories 112 satisfy memory requests in 

15 response to cache hits, replace cache lines in response to cache misses, and 
may invalidate or replace cache lines in response to snoop requests of the 
processor bus 130. In the cache-as-RAM mode, the cache memories 112 
operate as random access memory in which requests within the memory range of 
the cache memories 112 are satisfied by the cache memories and lines of the 

20 cache are not replaced or invalidated in response to snoop requests of the 
processor bus 130. 

[00191 The processors 110 may further comprise a key 116 such as, for 
example, a key of a symmetric cryptographic algorithm (e.g. the well known DES, 
3DES, and AES algorithms) or of an asymmetric cryptographic algorithm (e.g. the 

5 
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well-known RSA algorithm). The processor 110 may use the key 116 to authentic 
an AC module 190 prior to executing the AC module 190. 
[0020] The processors 110 may support one or more operating modes 
such as. for example, a real mode, a protected mode, a virtual real mode, and a 
5 virtual machine mode (VMX mode). Further, the processors 110 may support one 
or more privilege levels or rings in each of the supported operating modes. In 
general, the operating modes and privilege levels of a processor 110 define the 
Instructions available for execution and the effect of executing such Instructions. 
More specifically, a processor 110 may be permitted to execute certain privileged 
10 instructions only if the processor 1 10 is in an appropriate mode and/or privilege 
level. 

[0021] The processors 110 may also support locking of the processor bus 
130. As a result of locking the processor bus 130, a processor 110 obtains 
exclusive ownership of the processor bus 130. The other processors 110 and the 

15 chipset 120 may not obtain ownership of the processor bus 130 until the 

processor bus 130 is released. In an example embodiment, a processor 110 may 
issue a special transaction on the processor bus 130 that provides the other 
processors 110 and the chipset 120 with a LT.PROCESSOR.HOLD message. 
The LT.PROCESSOR.HOLD bus message prevents the other processors 110 

20 and the chipset 120 from acquiring ownership of tiie processor bus 130 until tiie 
processor 1 10 releases the processor bus 130 via a.LT.PROCESSOR.RELEASE 
t}us message. 

[0022] The processors 1 1 0 may however support altemative and/or 
additional methods of locking ttie processor bus 130. For example, a processor 

6 
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1 1 0 may inform the other processors 1 10 and/or the chipset 120 of the locl< 
condition by Issuing an Inter-Processor Interaipt, asserting a processor bus lock 
signal, asserting a processor bus request signal, and/or causing the other 
processors 1 10 to halt execution. Similarly, the processor 110 may release the 
5 processor bus 130 by Issuing an Inter-Processor Intenupt, deasserting a 
processor bus lock signal, deasserting a processor bus request signal, and/or 
causing the other processors 110 to resume execution. 
[0023] The processors 110 may further support launching AC modules 1 90 
and tenninating execution of AC modules 190. In an example embodiment, the 

10 processors 110 support execution of an ENTERAC instruction that loads, 

authenticates, and initiates execution of an AC module 190 from private memory 
160. However, the processors 1 1 0 may support additional or different instructions 
that cause the processors 110 to load, autiienticate, and/or initiate execution of 
an AC module 190. These other Instructions may be variants for launching AC 

1 5 modules 1 90 or may be concerned witti other operations tiiat launch AC modules 
190 to help accomplish a larger task. Unless denoted othenwise, tiie ENTERAC 
instruction and ttiese other instructions are referred to hereafter as launch AC 
instructions despite tiie fact that some of these instructions may load, 
authenticate, and launch an AC module 190 as a side effect of anotiier operation 

20 such as, for example, establishing a trusted computing environment 

[0024] In an example embodiment, ttie processors 1 1 0 furttier support 
execution of an EXITAC insbuction ttiat temiinates execution of an AC module 
190 and initiates post-AC code (See, FIG. 6). However, ttie processors 110 may 
support additional or different instixjctions ttiat result in tiie processors 110 
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terminating an AC module 190 and launching post-AC code. These other 
instojctlons may be variants of the EXITAC instoiction for tenninating AC 
modules 190 or may be instructions concemed primarily with other operations that 
result in AC modules 190 being terminated as part of a larger operation. Unless 
5 denoted otherwise, the EXITAC instruction and these other instructions are 
referred to hereafter as temilnate AC instructions despite the fact that some of 
these instructions may terminate AC modules 190 and launch post-AC code as a 
side effect of another operation such as, for example, tearing down a trusted 
computing environment 

1 0 [0025] The chipset 1 20 may comprise a memory controller 1 22 for 

controlling access to the memory 140. Further, the chipset 120 may comprise a 
key 124 that the processor 110 may use to authentic an AC module 190 prior to 
execution. Similar to the key 1 16 of the processor 11 0, the key 124 may 
comprise a key of a symmetric or asymmetric cryptographic algorithm. 

1 5 [0026] The chipset 1 20 may also comprise trusted platform registers 1 26 to 
control and provide status infomiation about trusted piatfonn features of the 
chipset 120. In an example embodiment, the chipset 120 maps the trusted 
platfoHD registers 126 to a private space 142 and/or a public space 144 of the 
memory 140 to enable the processors 110 to access the trusted platform registers 

20 126 in a consistent manner. 

[0027] For example, the chipset 120 may map a subset of the registers 126 
as read only locations in the public space 144 and may map the registers 126 as 
read/write locations in the private space 142. The chipset 120 may configure the 
private space 142 in a manner that enables only processors 1 10 in the most 



BNSDC3C)C: <WO_0305B412A2_I.> 



wo 03/058412 PCT/US02/41 177 

privileged mode to access its mapped registers 126 with privileged read and write 
transactions. ' Further, the chipset 120 may further configjure the public space 144 
in a manner that enables processors 1 10 in all privilege modes to access its 
mapped registers 126 with normal read and' write transactions. The chipset 120 
5 may also open the private space 142 in response to an OpenPrivate command 
being written to a command register 126. As a result of opening the private space 
142, the processors 110 may access the private space 142 in the same manner 
as the public space 144 with normal unprivileged read and write transactions. 
[0028] The physical token 150 of the computing device 100 comprises 

10 protected storage for recording integrity metrics and storing secrets such as, for 
example, encryption keys. The physical token 150 may perform various integrity 
functions in response to requests from the processors 110 and the chipset 120. 
In particular, the physical token 150 may store integrity metrics in a trusted 
manner, may quote integrity metrics in a trusted manner, may seal secrets such 

15 as encryption keys to a particular environment, and may only unseal secrets to 
the environment to which they were sealed. Hereinafter, the term "platfonm key" 
is used to refer to a key that is sealed to a particular hardware and/or software 
environment. The physical token 150 may l>e implemented in a number of 
different manners. However, in an example embodiment, the physical token 150 

20 is implemented to comply v^th the specification of the Trusted Platfomn Module 
(TPM) described in detail rn the Trusted Computing Platform Alliance (TCPA) 
Main Specification. Version 1.1, 31 July 2001. 

[0029] The private memory 160 may store an AC module 190 in a manner 
that allows the processor or processors 110 that are to execute the AC module 



8MSOOCIO: •tWO_030Se412A2.L> 



wo 03/058412 



PCT/US02/41177 



190 to access the AC module 190 and that prevents other processors 110 and 
components of the computing device 100 from altering the AC module 190 or 
interfering with the execution of the AC module 190. As shown in FIG. 1A. the 
private memory 160 may be implemented with the cache memory 1 12 of the 

5 processor 110 that Is e)«cuting the launch AC instruction. Alternatively, the 
private memory 160 may be implemented as a memory area internal to thfe 
processor 1 10 that is separate from its cache memory 1 12 as shown in FIG. 1 B. . 
The private memory 160 may also be implemented as a separate external 
memory coupled to the processors 1 10 via a separate dedicated bus as shown in 

10 FIG. 1C, thus enabling only the processors 110 having associated external 
memories to validly execute launch AC instructions. 
[0030] The private memory 160 may also be implemented via the system 
memory 140. In such an embodiment, the chipset 120 and/or processors 110 
may define certain regions of the memory 140 as private memory 160 (see FIG. 

15 1 D) that may be restricted to a specific processor 1 1 0 and that may only be 
accessed by the specific processor 110 when in a particular operating mode. 
One disadvantage of this implementation is that the processor 110 relies on the 
memory controller 122 of the chipset 120 to access the private memory 160 and 
the AC module 190. Accordingly, an AC module 190 may not be able to 

20 reconfigure the memory controller 1 22 without denying the processor 1 1 0 access 
to the AC module 190 and ttius causing the processor 110 to abort e}fficution of 
the AC module 190. 

[0031] The private memory 160 may also be Implemented as a separate 
memory coupled to a separate private memory controller 128 of the chipset 120 

10 
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as shown in FIG. 1E. In such an embodiment, the private memory controller 128 
may provide a sieparate interface to the private memory 160. As a result of a 
separate private memory controller 128, the processor 110 may be able to 
reconfigure the memory controller 122 for the system memory 140 in a manner 
5 that ensures that the processor 1 10 will be able to access the private memory 160 
and the AC module 190. In general, the separate private memory controller 128 
overcomes some disadvantages of the embodiment shown in FIG. 1D at the 
expense of an additional memory and memory controller. 
[0032] The AC module 190 may be provided in any of a variety of machine 

10 readable mediums 180. The media interface 170 provides an interface to a 
machine readable medium 180 and AC module 190. The machine readable 
medium 180 may comprise any medium that can store, at least temporarily, 
information for reading by the machine interface 170. This may include signal 
transmissions (via wire, optics, or air as the medium) and/or physical storage 

1 5 media such as various types of disk and memory storage devices. 

[0033] Refening now to FIG. 2, an exarnple embodiment of the AC module 
190 is shown in more detail. The AC module 190 may comprise code 210 and 
data 220. The code 210 comprises one or more code pages 212 and the data 
220 comprises one or more data pages 222. Each code page 212 and data page 

20 222 in an example embodiment corresponds to a 4 kilobyte contiguous memory 
region; however, the code 210 and data 220 may be implemented with different 
page sizes or In a non-paging manner. The code pages 212 comprise processor 
instructions to be executed by one or more processors 110 and the data pages 
222 comprise data to be accessed by one or more processors 1 10 and/or scratch 
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pad for storing data generated by one or more processors 1 10 in response to 
executing instructions of the code pages 212. 

[0034] The AC module 1 90 may further comprise one or more headers 230 
that may be part of the code 21 0 or the data 220. The headers 230 may provide 
5 information about the AC module 190 such as, for example, module author, 

copyright notice, module version, module execution point location, modulfe length, 
authentication method, etc. The AC module 190 may further comprise a 
signature 240 which may be a part of the code 210. data 220. and/or headers 
230. The signature 240 may provide infonnation about the AC module 190, 
10 authentication entity, authentication message, authentication method, and/or 
digest value. 

[0035] The AC module 190 may also comprise an end of module marker 
250. The end of module mariner 250 specifies the end of the AC module 190 and 
may be used as an alternative to specifying the length of the AC module 190. For 

15 example, the code pages 212 and data pages 222 may be specified in a 
contiguous manner and the end of module mariner 250 may comprise a 
predefined bit pattern that signals the end of the code pages 212 and data pages 
222. It should be appreciated tiiat the AC module 1 90 may specify Its length 
and/or end in a number of different manners. For example, the header 230 may 

20 specify the number of bytes or the number of pages the AC module 1 90 contains. 
Alternatively, launch AC and temriinate AC Instructions may expect the AC module 
190 be a predefined number of bytes In length or contain a predefined number of 
pages. Further, launch AC and terminate AC instructions may comprise 
operands that specify the length of the AC module 190. 

12 
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[0036] It should be appreciated that the AC module 1 90 may reside in a 
contiguous region of the memory 140 that is contiguous in the physical memory 
space or that is contiguous In virtual memory space. Whether physically or 
virtually contiguous, the locations of the memdry 140 that store the AC module 
5 1 90 may be specified by a starting location and a length and/or end of module 
marker 250 may specify. Alternatively, the AC module 1 90 may be stored in 
memory 140 in neither a physically or a virtually contiguous manner. For 
example, the AC module 190 may be stored in a data stmclure such as, for 
example, a linked list that pemiits the computing device 100 to store and retrieve 
1 0 the AC module 1 90 from the memory 140 in a non-contiguous manner. 

[0037] As will be discussed in more detail below, the example processors • 
1 1 0 support launch AC instructions that load the AC module 1 90 into private 
memory 160 and initiate execution of the AC module 190 from an execution point 
260. An AC module 190 to be launched by such a launch AC InstoicBon may 
15 comprise code 210 which when loaded into the private memory 160 places the 
execution point 260 at a location specified one or more operands of a launch AC 
instmcBon. Alternatively, a launch AC instruction may result in the processor 110 
obtaining the location of the execution point 260 from the AC module 190 Itself. 
For example, ttie code 210, data 220, a header 230, and/or signature 240 may 
20 comprise one or more fiekis that specify the location of the execution point 260. 
[OOSq As will be discussed in more detail below, the example processors 
1 10 support launch AC instructions that autiienticated the AC module 190 prior to 
execution. Accordingly, the AC module 190 may comprise information to support 
authentidty determinations by the processors 110. For example, tiie signature 
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240 may comprise a digest value 242. The digest value 242 may be generated 
by passing the AC module 190 through a hashing algorithm (e.g. SHA-1 or MD5) 
or some other algorithm. The signature 240 may also be encrypted to prevent 
alteration of the digest value 242 via an encryption algorithm (e.g. DES, 3DES, 

5 AES. and/or RSA algorithms). In example embodiment the signature 240 is 
RSA-^ncrypted with the private key that corresponds to a public key of the 
processor key 1 16, the chipset key 120, and/or platfomi key 152. 
[00391 It should be appreciated that the AC module 1 90 may be 
authenticated via other mechanisms. For example, the AC module 190 may 

1 0 utilize different hashing algorithms or different encryption algorithms. Further, the 
AC module 190 may comprise information in the code 210, data 220. headers 
230. and/or signature 240 that indicate which algorithms were used. The AC 
module 190 may also be protected by encrypting the whole AC module 190 for 
decryption via a symmetric or asymmetric key of the processor key 116, chipset 

15 key 1 24, or platform key 1 52. 

[0040] An example embodiment of the processor 1 1 0 is illustrated in more 
detail in FIG. 3. As depicted, the processor 1 1 0 may comprise a front end 302, a 
register file 306, one or more execution units 370, and a retirement unit or back 
end 380. The front end 302 comprises a processor bus interface 304, a fetching 

20 unit 330 having instruction and instaiction pointer registers 31 4. 31 6, a decoder 
340. an instruction queue 350, and one or more cache memories 360. The 
register file 306 comprises general purpose registers 312, status/control registers 
318, and other registers 320. The fetching unit 330 fetches ttie instructions 
specified by the instruction pointer registers 316 from the memory 140 via the 

14 
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processor bus interface 304 or the cache memories 360 and stores the fetched 
instnjctions in the instruction registers 314. 

[00411 An instmction register 314 may contain more than one instruction. 
Acoortling, the decoder 340 identifies the instniidions in the instmction registers 

5 31 4 and places the identified instructions in the instruction queue 350 in a iorm 
suitable for execution. For example, the decoder 340 may generate and store 
one or more micro-operations (uops) for each identified instmction in the 
instmction queue 350. Alternatively, the decoder 340 may generate and store a 
single macro-operation {Uop) for each identified instmction in tiie instmction 

1 0 queue 350. Unless indicated otiienwise the tenn ops is used hereafter to refer to 
both uops and Mops. 

[00A2] The processor 110 further comprises one or more execution units 
370 that perfomi the operations dictated by the ops of tiie insbxiction queue 350. 
For example, tiie execution units 370 may comprise hashing units, decryption 

1 5 units, andyor microcode units tiiat implement autiientication operations ttiat may 
be used to autiienticate ttie AC module 190. The execution units 370 may 
peifonn In-order execution of ttie ops stored in tiie Inshuction queue 350. 
However, in an example embodiment, tiie processor 110 supports out-of-order 
execution of ops by tiie execution units 370. In such an embodiment, tiie 

20 processor 1 1 0 may further comprise a retirement unit 380 tiiat removes ops from 
the instmction queue 350 in-order and commits ttie results of executing the ops to 
one or more registers 312, 314, 316. 318, 320 to insure proper in-order results. 
[0043] The decoder 340 may generate one or more ops for an Identified 
launch AC instmction and ttie execution units 370 may load, autiienticate, and/or 

15 
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initiate execution of an AC module 190 in response to executing the associated 
ops. Further, the decoder 340 may generate one or more ops for an identified 
terminate AC instruction and the execution units 370 may terminate execution of 
an AC module 190, adjust security aspects of the computing device 100, and/or 
5 initiate execution of post-AC code in response to executing the associated ops. 
[0044] In particular, the decoder 340 may generate one or more ops that 
depend on the launch AC instruction and the zero or more operands associated 
with the launch AC instruction. Each launch AC instruction and its associated 
operands specify parameters for launching the AC module 190. For example, the 

10 launch AC instruction and/or operands may specify parameters about the AC 
module 190 such as AC module location, AC module lengtii, and/or AC module 
execution point. The launch AC instruction and/or operands may also specify 
parameters about the private memory 160 such as, for example, private memory 
location, private memory lengtii, and/or private memory implementation. The 

15 launch AC instruction and/or operands may further spedfy parameters for 
authenticating the AC module 190 such as specifying which autiientication 
algorithms, hashing algorithms, decryption algorittims, and/or ottier aigoritiims are 
to be used. The launch AC instruction and/or operands may further specify 
parameters for the algorithms such as, for example, key lengtii. key location, 

20 and/or keys. The launch AC instiuction and/or operands may further specify 

parameters to configure the computer system 100 for AC module launch such as, 
for example, specifying events to be masked/unmasked and/or security 
capabilities to be updated. 
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[0045] The launch AC instructions and/or operands may provide fewer, 
additional, and/or different parameters than those described above. Furthenmore, 
the launch AC instructions may comprise zero or more explicit operands and/or 
implicit operands. For example, the launch AC instruction may have operand 
5 values implicitly specified by processor registers and/or memory locations despite 
the launch AC instruction itself not comprising fields that define the location of 
these operands. Furthermore, the launch AC instruction may explicitly specify the 
operands via various techniques such as, for example, immediate data, register 
identification, absolute addresses, and/or relative addresses, 

1 0 [0046] The decoder 340 may also generate one or more ops that depend 
on the terminate AC instructions and the zero or more operands associated with 
the terminate AC instructions. Each terminate-AC instruction and its associated 
operands specify parameters for terminating execution of the AC module 190. 
For example, the terminate AC instruction and/or operands may spediy 

15 parameters about the AC module 190 such as AC module location and/or AC 
module length. The terminate AC instnjction and/or operands may also specify 
parameters about the private memory 160 such as, for example, private memory 
location, private memory length, and/or private implementation. The terminate 
AC instruction and/or operands may specify parameters about launching post-AC 

20 code such as, for example, launching method and/or post-AC code execution 
point. The terminate AC instruction and/or operands may further specify 
parameters to configure the computer system 100 for post-AC code execution 
such as, for example, specifying events to be masked/unmaslced and/or security 
capabilities to be updated. 
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[0047] The terminate AC instructions and/or operands may provide fewer, 
addittonal. and/or different parameters than those descriljed at)ove. Furthermore, 
the tenninate AC instaictions may comprise zero or more explicit operands and/or 
implicit operands in a manner as described above in regard to the launch AC 
5 instaictions. 

[0048] Referring now to FIG. 4, there is depicted a method 400 of • 
launching an AC module 190. In particular, the method 400 illustrates the 
operations of a processor 1 10 In response to executing an example ENTERAC 
instruction having an authenticate operand, a module operand, and a length 
10 operand. However, one skilled in the art should be able implement other launch 
AC Instructions having fewer, additional, and/or different operands without undue 
experimentation. 

[0049] In block 404, the processor 1 1 0 detemiines whether the 
environment is appropriate to start execution of an AC module 190. For example. 

15 the processor 110 may verify that its current privilege level, operating mode, 
and/or addressing mode are appropriate. Further, if the processor supports 
multiple hardware threads, the processor may verify that all other threads have 
halted. The processor 1 1 0 may further verify that the chipset 120 meets certain 
requirements. In an example embodiment of the ENTERAC instmction. the 

20 processor 1 1 0 determines that the environment is appropriate in response to 
determining that the processor 110 Is In a protected flat mode of operation, that 
the processor's current privilege level is 0. that the processor 1 10 has halted all 
other threads of executton, and that the chipset 120 provides trusted platform 
capabilities as indicated by one or more registers 126. Other embodiments of 
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launch AC instructions may define appropriate environments differently. Other 
launch AC instructions and/or associated operands may specify environment 
requirements that result in the processor 110 verifying fewer, additional, and/or 

different parameters of its environment. 
5 [0050] In response to deterniming that the environment is inappropriate for 

launching an AC module 190, the processor 110 may tenninate the ENTERAC 

~ instruction with an appropriate error code (block 408). Alternatively, the processor 
110 may further trap to some more trusted software layer to penult emulation of 
the ENTERAC instaiction. 

10 10051] Othenwise, the processor 1 10 In block 414 may update event 

processing to support launching the AC module 190. In an example embodiment 
of the ENTERAC instaiction, the processor 110 masks processing of the INTR. 
NMI, SMI, INIT, and A20M events. Other launch AC instructions and/or 
associated operands may specify masking fewer, additional, and/or different 

15 evente. Further, other launch AC instructions and/or associated operands may 
explicitly specify the events to be masked and the evente to be unmasked. 
Alternatively, other embodimente may avoid masking events by causing the 
computing device 100 to execute trusted code such as, for example, event 
handlers of the AC module 190 in response to such events. 

20 [0052] The processor 110 in block 416 may lock the processor bus 130 to 
prevent the other processors 1 1 0 and the chipset 120 from acquiring ownership of 
the processor bus 130 during the launch and execution of the AC module 190. In 
an example embodiment of the ENTERAC instruction, the processor 110 obtains 
exclusive ownership of the processor bus 130 by generating a special transaction 
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that provides the other processors 1 10 and the chipset 120 with a 
LT. PROCESSOR. HOLD bus message. Other embodiments of launch AC 
instructions and/or associated operands may specify that the processor bus 130 
is to remain unlocked or may specify a different manner to locl< the processor bus 
5 130. 

[0053] The processor 110 in block 420 may configure Its private memory 
160 for receiving the AC module 190. The processor 110 may dear the contents 
of the private memory 160 and may configure control structures associated with 
the private memory 160 to enable the processor 110 to access the private 
10 memory 160. In an example embodiment of the ENTERAC instruction, the 

processor 110 updates one or more control registers to switch the cache memory 
1 12 to the cache-as-RAM mode and invalidates the contents of its cache memory 
112. 

[0054] Other launch AC instructions and/or associated operands may 
15 specify private memory parameters for different implementations of the private 
memory 160. (See, for example, FIGS. 1A-1E). Accordingly, the processor 110 
in executing these other launch AC instructions may perfomn different operations 
in order to prepare the private memory 160 for the AC module 190. For example, 
the processor 110 may enable/configure a memory controller (e.g. PM controller 
20 128 of FIG. IE) associated with the private memory 160. The processor 110 may 
also provide the private memory 160 with a dear, reset, and/or invalidate signal to 
dear the private memory 160. Altematively, the processor 110 may write zeros or 
some other bit pattem to the private memory 160, remove power from the private 
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memory 160, and/or utilize some otiier mechanism to clear the private memory 
160 as specified by the launch AC instruction and/or operands. 
[0055] In block 424, the processor 1 1 0 loads the AC module 1 90 into its 
private memory 160. In an example embodiment of the ENTERAC instmction, 

5 the processor 1 1 0 starts reading from a location of the memory 140 specified by 
the address operand until a number of bytes specified by the length operand are 
transferred to its cache memory 1 12. Other embodiments of launch AC 
instructions and/or associated operands may specify parameters for loading the 
AC module 190 into the private memory 160 in a different manner. For example, 

10 the other launch AC Instructions and/or assodated operands may specify the 
location of the AC module 190. the location of the private memory 160. where the 
AC module 190 is to be loaded in the private memory 160. and/or the end of the 
AC module 190 in numerous different manners. 

[0056] In block 428, the processor 1 1 0 may further lock the private memory 
15 160. In an example embodiment of the ENTERAC Instmction, the processor 110 
updates one or more control registers to lock its cache memory 1 12 to prevent 
extemal events such as snoop requests from processors or I/O devices from 
altering the stored lines of the AC module 190. However, other launch AC 
instructions and/or associated operands may specify other operations for the 
20 processor 110. For example, the processor 1 1 0 may configure a memory 

controller (e.g. PM controller 128 of FIG. IE) associated with the private memory 
160 to prevent the other processors 110 and/or chipset 120 from accessing the 
private memory 160. In some embodiments, the private memory 160 may 
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already be sufficiently locked, thus the processor 110 may take no action in block 
428. 

[0057] The processor in block 432 detemiines whether the AC module 1 90 
stored in its private memory 160 is authentic based upon a protection mechanism 
5 specified by the protection operand of the ENTERAC Instruction. In an example 
embodiment of the ENTERAC Instruction, the processor 110 retrieves a . 

processor key 1 16, chipset key 124, and/or platform key 152 specified by the 
protection operand. The processor 1 10 then RSA-decrypts the signature 240 of 
the AC module 1 90 using the retrieved key to obtain the digest value 242. The 

10 processor 1 10 further hashes the AC module 190 using a SHA-1 hash to obtain a 
computed.digest value. The processor 110 then determines that the AC module 
190 is authentic in response to the computed digest value and the digest value 
242 having an expected relationship (e.g. equal to one another). Othenwise, the 
processor 1 10 detenmines that the AC module 190 is not authenticate. 

1 5 [00581 Other launch AC instructions and/or associated operands may 
specify different authentication parameters. For example, the other launch AC 
Instructions and/or associated operands may specify a different authentication 
method, different decryption algorithms, and/or different hashing algorithms. The 
other launch AC instmctions and/or associated operands may further specify 

20 different key lengths, different key locations, and/or keys for authenticating the AC 
module 190. 

[0059] In response to determining that the AC module 1 90 is not authentic, 
the processor 1 1 0 in block 436 generates an error code and terminates execution 
of the launch AC Instruction. OtheoMse, the processor 1 10 in block 440 may 
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update security aspects of the computing device 100 to support execution of the 
AC module 1 90. ' In an example embodiment of the ENTERAC instmction. the 
processor 1 10 in blocl^ 440 writes a OpenPrivate command to a command 
register 126 of the chipset 120 to enable the processor 1 10 to access registers 
5 126 via the private space 142 with normal unprivileged read and write 
transactions. 

[0060] Other launch AC instnjctions and/or associated operands may 
specify other operations to configure the computing device 100 for AC module 
execution. For example, a launch AC instmction and/or associated operands 

10 may specify that the processor 110 leave the private space 142 in its cun-ent 
state. A launch AC instruction and/or associated operands may also specify that 
the processor 1 1 0 enable and/or disable access to certain computing resources 
such as protected memory regions, protected storage devices, protected 
partitions of storage devices, protected files of storage devices, etc. 

15 [00611 After updating security aspects of the computing device 100, the 
processor 1 10 in block 444 may initiate, execution of the AC module 190. In an 
example embodiment of the ENTERAC instruction, the processor 110 loads its 
instruction pointer register 316 with the physical address provided by the module 
operand resulting in the processor 110 jumping to and executing the AC module 

20 190 from the execution point 260 specified by the physical address. Other launch 
AC instructions and/or associated operands may specify the location of the 
execution point 260 in a number of altemative manners. For example, a launch 
AC instmction and/or associated operands may result in the processor 110 
obtaining the location of the execution point 260 from the AC module 190 itself. 
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[00623 Referring now to FIG. 5. there is depicted a method 500 of 
terminating an AC module 190. In particular, the method 500 illustrates the 
operations of a processor 1 10 in response to executing an example EXITAC 
instruction having a protection operand, an events operand, and a launch 
5 operand. Hov\/ever, one skilled in the art should be able to Implement other 
temiinate AC instmctions having fewer, additional, and/or different operands 
without undue experimentation. 

[0063] in block 504, the processor 110 may clear and/or reconfigure the 
private memory 160 to prevent further access to the AC module 190 stored in the 

10 private memory 160. In an example embodiment of the EXITAC instruction, the 
processor 110 invalidates its cache memory 112 and updates control registers to 
switch the cache memory 1 12 to the normal cache mode of operation. 
[0064] A temiinate AC instruction and/or associated operand may specify 
private memory parameters for different implementations of the private memory 

15 160. (See, for example. FIGS. 1A-1E). Accordingly, a terminate AC Instruction 
and/or associated operand may result in the processor 1 1 0 perfomning different 
operations in order to prepare the computing device 100 for post-AC code 
execution. For example, the processor 110 may disable a memory controller (e.g. 
PM controller 128 of FIG, 1 E) associated with the private memory 160 to prevent 

20 further access to the AC module 190. The processor 110 may also provide the 
private memory 160 with a clear, reset, and/or invalidate signal to clear the private 
memory 160. Alternatively, the processor 110 may write zeros or some other bit 
pattern to the private memory 160, remove power from the private memory 160, 
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and/or utilize some other mechanism to clear the private memory 160 as specified 
by a terminate AC instruction and/or associated operands: 
[0065] The processor 1 10 in blocl< 506 may update security aspects of the 
computing device 100 based upon the protection operand to support post-AC 
5 code execution. In an example embodiment of the EXITAC instruction, the 
protection operand specifies whether the processor 1 10 is to close the private 
space 142 or leave the privatejspace 142 In its cunent state. In response to 
determining to leave the private space 142 in its current state, the processor 110 
proceeds to block 510. OthenAdse, the processor 1 10 closes the private space 
10 142 by writing a ClosePrivate command to a command register 126 to prevent the 
processors 110 from further accessing the registers 126 via normal unprivileged 
read and write transactions to the private space 142. 

[0066] A terminate AC instruction and/or associated operands of another 
embodiment may result in the processor 110 updating other security aspects of 

15 the computing device 100 to support execution of code after the AC module 190. 
For example, a terminate AC instnjction and/or associated operands may specify 
that the processor 110 enable and/or disable access to certain computing 
resources such as protected memory regions, protected storage devices, 
protected partitions of storage devices, protected files of storage devices, etc. 

20 [0067] The processor 1 1 0 in block 51 0 may unlock the processor bus 1 30 
to enable other processors 110 and the chipset 120 to acquire ownership of the 
processor bus 130. In an example embodiment of the EXITAC instruction, the 
processor 110 releases exclusive ownership of the processor bus 130 by 
generating a special transaction that provides the other processors 110 and the 
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Chipset 120 with a LT.PROCESSOR.RELEASE bus message. Other 
embodiments of temiinate AC instructions and/or associated operands may 
specify that the processor bus 130 is to remain lodged or may specify a different 
manner to unlocl< the processor bus 1 30. 

5 [0068] The processor 1 1 0 in bloc* 514 may update events processing 
based upon the mask operand. In example embodiment of the EXITAC ' 
Instruction, the mask operand specifies whether the processor 110 is to enable 
events processing or leave events processing in Its cun^ent state. In response to 
detemiining to leave events processing in its cun-ent state, the processor 110 

10 proceeds to block 516. Othenwise. the processor 110 unmasks the INTR, NMI, 
SMI, INIT, and A20M events to enable processing of such events. Other 
temilnate AC instmctions and/or associated operands may specify unmasking 
fewer, additional, and/or different events. Further, other temilnate AC instructions 
and/or associated operands may explicitly specify the events to be masked and 

1 5 the events to be unmasked . 

[0069] The processor 1 1 0 in block 516 temiinates execution of the AC 
module 190 and launches post-AC code specified by the launch operand. In an 
example embodiment of the EXITAC instruction, the processor 1 10 updates its 
code segment register and instruction pointer register with a code segment and 

20 segment offeet specified by the launch operand. As a result, the processor 110 
jumps to and begins executing from an execution point of the post-AC code 
specified by the code segment and segment ofteet 
p)070] Other tenninate AC modules and/or associated operands may 
specify the execution point of the post-^C code in a number of different manners. 
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For example, a launch AC Instruction may result in the processor 110 saving the 
cun-ent insfruction pointer to identify the execution point of post-AC code. In such 
an embodiment, the tenninate AC instruction may retrieve the execution point 
saved by the launch AC instruction and initiate! execution of the post-AC code 
5 from the retrieved execution point In this manner, the tenninate AC instruction 
returns execution to the instruction following the launch AC instruction. Further, in 
such an embodiment, the AC module 190 appears to have been called, like a 
function call or system call, by the invoking code. 

[0071] Another embodiment of the computing device 100 Is shown In FIG. 

10 6. The computing device 100 comprises processors 1 10, a memory interface 620 
that provides the processors 110 access to a memory space 640, and a media 
interface 170 that provides the processors 110 access to media 180. The 
memory space 640 comprises an address space that may span multiple machine 
readable media from which the processor 110 may execute code such as, for 

15 example, firmware, system memory 140, private memory 160, hard disk storage, 
networic storage, etc (See, FIGS. 1 A-1E). The memory space640 comprises pre- 
AC code 642, an AC module 190, and post-AC code 646. The pre-AC code 642 
may comprise operating system code, system library code, shared library code, 
application code, firmware routines, BIOS routines, and/or other routines that may 

20 launch execution of an AC module 190. The post-AC code 646 may simllariy 
comprise operating system code, system library code, shared library code, 
application code, firmware routines, BIOS routines, and/or other routines that may 
be executed after the AC module 190. It shoukl be appreciated that the pre-AC 

27 



BNSOOaO <WQ_03068412A2_t> 



wo 03/«»5«412 PCTAJS02/41 1 77 

code 642 and the post-AC code 646 may be the same software and/or fimiware 
module or different software and/or firmware modules. 
[0072] An example embodiment of launching and tenninating an AC 
module is illustrated in FIG. 7A. In block 704. the computing device 100 stores 

5 the AC module 1 90 into the memory space 640 in response to executing the pre- 
. AC code 642. In an example embodiment, the computing device 100 retrieves 
the AC module 190 from a machine readable medium 180 via the media interface 
170 and stores the AC module 190 in the memory space 640. For example, the 
computing device 100 may retrieve the AC module 190 from firmware, a hard 

1 0 drive, system memory, networi< storage, a file sen/er, a web server, etc and may 
store the retrieved AC module 190 into a system memory 140 of the computing 
device 100. 

[0073] The computing device 100 in block 708 loads, authenticates, and 
Initiates execution of the AC module 190 in response to executing the pre-AC 

1 5 code 642. For example, the pre-AC code 642 may comprise an ENTERAC 
instmcBon or another launch AC instruction that results in the computing device 
100 transfemng tiie AC module 190 to private memory 160 of the memory space 
640, authenticating the AC module 190, and invoking execution of tiie AC module 
190 from its execution point. Alternatively, the pre-AC code 642 may comprise a 

20 series of instructions that result in ttie computing device 100 transferring tne AC 
module 190 to private memory 160 of the memory space 640, authenticatirig tiie 
AC module 1 90. and invoking execution of the AC module 1 90 from its execution 
point 
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[00741 In. block 71 2. the computing device 1 00 executes the code 210 of 
the AC module 1 90 (See, FIG. 2). The computing device 1-00 in block 716 
terminates execution of the AC module 190 and initiates execution of the post-AC 
code 646 of the memory space 640. For example, the AC module 190 may 
5 comprise an EXITAC Instmction or another terminate AC instruction that results in 
the computing device 100 temiinating execution of the AC module 190. updating 

security aspects of the computing device 100, and initiating execution of the post- 

AC code 646 from an execution point of the post-AC code 646. Alternatively, the 
AC module 190 may comprise a series of Instructions that result in the computing 
1 0 device 1 00 terminating execution of the AC module 1 90 and initiating execution of 
the post-AC code 646 firom an execution point of the post-AC code 646. 
[0075] Another example embodiment of launching and temilnating an AC 
module is illustrated in FIG. 7B. In block 740, the computing device 100 stores 
the AC module 190 Into the memory space 640 in response to executing the pre- 
15 AC code 642. In an example embodiment, the computing device 100 retrieves 

the AC module 3?0frpm a machine readable medium 180 via the media interface 

1 70 and stores the AC module 190 in the memory space 640. For example, the 
computing device 100 may retrieve the AC module 190 from flmiware, a hard 
drive, system memory, networic storage, a file server, a web server, etc and stores 
20 the retrieved AC module 190 into a system memory 140 of the computing device 
100. 

[0076] The computing device 1 00 in block 744 loads, authenticates, and 
initiates execution of the AC module 190 response to executing the pre-AC code 
642. The computing device in block 744 further saves an execution point for the 
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post-AC code 646 that is based upon the instruction pointer. For example, the 
pre-AC code 642 may comprise an ENTERAC instmction or another launch AC 
instruction that results in the computing device 100 transferring the AC module 
190 to private memory 160 of the memory space 640. authenticating the AC 

5 module 190. invoking execution of the AC module 190 from its execution point 
and saving the instruction pointer so that the processor 1 10 may return to the 
instruction following the launch AC instruction after executing the AC module 190. 
Alternatively, the pre-AC code 642 may comprise a series of instructions that 
result in the computing device 100 transferring the AC module 190 to private 

10 memory 160 of the memory space 640. authenticating the AC module 190. 

invoking executton of the AC module 190 from its execution point, and saving the 
instruction pointer. - 

[00771 In block 748. the computing device 100 executes the code 210 of 
the AC module 190 (See. FIG. 2). The computing device 100 in block 752 
15 terminates execution of the AC module 190, loads the instruction pointer based 
execution point saved in block 744. and initiates execution of the instmction 
following the launch AC instmction or the series of instmctions executed in block 
744. For example, the AC module 190 may comprise an EXITAC instruction or 
another terminate AC instmction that results in the computing device 100 
20 temiinating execution of the AC module 190, updating security aspects of the 
computing device 100. and initiating execution of the post-AC code 646 from an 
execution point of the post-AC code 646 specified by ttie Instmction pointer saved 
in block 744. Alternatively, the AC module 190 may comprise a series of 
Instmctions tiiat result In tiie computing device 100 temr.inating execution of the 
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AC module 190. updating security aspects of the computing device 100, and 
initiating execution of the post-AC code 646 from an execution point of the post- 
AC code 646 specified by the instruction pointer saved in block 744, 
[0078] FIG. 8 illustrates various design representations or formats for 
5 simulation, emulation, and ^brication of a design using the disclosed techniques. 
Data representing a design may represent the design in a number of manners. 
First, as is useful in simulations, the hardware may be represented using a 
hardware description language or another functional description language which 
essentially provides a computerized model of how the designed hardware Is 

10 expected to perform. The hardware model 810 may be stored in a storage 
medium 800 such as a computer memory so that the model may be simulated 
using simulation software 820 that applies a particular test suite 830 to the 
hardware model 810 to determine if it indeed functions as intended, in some 
embodiments, the simulation software is not recorded, captured, or contained in 

15 the medium. 

[0079] Ad ditionally, a circuit level model with logic and/or transistor gates 
may be produced at some stages of the design process. This model may be 
similariy simulated, sometimes by dedicated hardware simulators that form the 
model using programmable logic. This type of simulation, taken a degree further. 
20 may be an emulation technique. In any case, re-configurable hardware is another 
embodiment that may involve a machine readable medium storing a model 
employing the disclosed techniques. 

[0080] Furthermore, most designs, at some stage, reach a level of data 
representing the physical placement of various devices in the hardware model. In 
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the case where conventional semiconductor fabrication techniques are used, the 
data representing the hardware model may be the data specifying the presence 
or absence of various features on different mask layers for masks used to 
produce the integrated circuit Again, this data representing the integrated circuit 

5 embodies the techniques disclosed In that the circuitry or togic In the data can be 
simulated or fabricated to perfbrnn these techniques. 
[0081] In any representation of the design, the data may be stored In any 
fbmi of a computer readable medium. An optical or electrical wave 860 
modulated or otherwise generated to transmit such infomiation, a memory 850, or 

10 a magnetic or optical storage 840 such as a disc may be the medium. The set of 
bits describing the design or the particular part of the design are an article that 
may be sold in and of its6lf or used by others for further design or fabrication. 
[OOSq While certain exemplary embodiments have been described and 
shown in the accompanying drawings, it Is to be understood that such 

1 5 embodiments are merely illustrative of and not restrictive on the broad Invention, 
and that this invention not be limited to the specific constructions and 
arrangements shown and described, since various other modifications may occur 
to those ordinarily skilled in the art upon studying this disclosure. 
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What is claimed is: 

1. A method comprising 

transferring an authenticated code module to a private memory; and 
executing the authenticated code module stored In the private memory in 
5 response to detennining that the authenticated code module stored in the private 
memory is authentic. 

2. The method of claim 1 further wherein transferring comprises transferring a 
number of bytes specified by an operand from a memory. 

10 

3. The method of claim 1 further comprising 

configuring a cache memory of the processor to operate like a random 
access memory, 

wherein transferring comprises storing the authenticated code module In 
15 the cache memory. 

4. The method of claim 3 further comprising Invalidating the cache memory prior 
to storing the authenticated code module In the cache memory. 

20 5. The method of claim 3 further comprising locking ttie cache memory to prevent 
lines of authenticated code module from being replaced. 
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4 

6. The method of ciaim 1 further comprising determining whether the 
authenticated code is authentic based upon a digital signature of the 
authenticated code module. 



5 7. The method of daim 1 further cornprising 

obtaining a first value from the authenticated code module stored ih the 

private memory: 

computing a second value from the authenticated code module; and 
determining that the authenticated code module is authentic in response to 
10 the first value and the second value having a predetermined relationship. 

8. The method of claim 1 further comprising 
retrieving a key, 

decrypting a digrtal signature of the authenticated code module vvith the 
1 5 key to obtain a first value, 

hashing the authenticated code module to obtain a second value; and 
executing the authenticated code module in response to the first value and 
the second value having a predetemriined relationship. 

20 9. The method of claim 8 wherein 

decrypting cornprises usjng the key to RSA-decrypt the digital signature, 

and 

hashing comprises apply a SHA-1 hash to the authenticated code module 
to obtain the second value. 
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1 0. The method o1 claim 8 further comprising retrieving the Icey from the 
processor. 

5 1 1 . The method of claim 8 further comprising retrieving the key from a chipset. 

12. The method of claim 8 further comprising retrieving the Icey fomn a tol<en. 

13. The method of claim 1 wherein transfening comprises receiving the 
10 authenticated code module from a machine readable medium. 

14. A computing device, comprising 

a chipset; 

a memory coupled to the chipset; 
15 a machine readable medium interface to receive an authenticated code 

module from a machine readable medium; 

a private memory coupled to the chipset; and 

a processor to transfer the authenticated code module from the machine 
readable medium interface to the private memory and to authenticate the 
20 authenticated code module stored in the private memory. 

15. The computing device of claim 14, wherein the chipset comprises a memory 
controller coupled to the memory and a separate private memory controller 
coupled to the private memory. 

35 



BNSDOCtD: <VVO_030Sa412A2.l. > 



wo 03/058412 



PCTAJS02/41177 



16. The computing device of claim 14, wherein 

the chipset comprises a key, and 

the processor authenticates the authenticated code module stored in the 
5 private memory based upon the key of the chipset 

17. The computing device of claim 14, wherein 

the processor comprises a key and authenticates the authenticated code 
module stored in the private memory based upon the key of the processor. 

10 

18. The computing device of daim 14, further comprising 

a token coupled to the chipset, the token comprising a key, wherein 
the processor authenticates the authenticated code module stored in the 
private memory based upon the key of the token. 

15 

19. A computing device, comprising 

a chipset, 

a machine readable medium interface to receive an authenticated code 
module from a machine readable medium; and 
20 a processor coupled to the chipset via a processor bus, the processor to 

transfer the authenticated code module from the machine readable medium 
Interface to a private memory of the processor and to authenticate the 
authenficated code module stored In the private memory. 

36 



BNSOOCIO; <WO_caoSS4ISAi.l.> 



wo 03/058412 PCT/US02/41177 

20. The computing device of ciaim 19, wherein the private memory Is coupled to 
the processor via a dedicated bus. 

21 . The computing device of claim 19. wherein the private memory is intemai to 
6 the processor. 

22. The computing device of claim 19. wherein the private memory comprises 
intemai cache memory of the processor. 

10 23. The computing device of claim 19, further comprises 

other processors coupled to the chipset via the processor bus, wherein 
the processor further locl<s the processor bus to prevent the other 
processors from altering the authenticated code module. 

15 24. A computing device, comprising 
a memory; 

a chipset comprising a memory control that defines a portion of the 
memory as private memory; 

a machine readable medium to receive an authenticated code module from 
20 a machine readable medium; and 

a processor to transfer the authenticated code module from the machine 
readable medium interface to the private memory and to authenticate the 
authenticated code module stored in the private memory. 
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25. The computing device of claim 24, wherein the chipset comprises a memory 
controller coupled to the memory and a separate private memory controller 
coupled to the private memory. 

5 26. The computing device of claim 24, wherein 
the chipset comprises a key, and 

the processor authenticates the authenticated code module stored in the 
private memory based upon the key of the chipset 

10 27. The computing device ofclaim 24, wherein 

the processor comprises a key and authenticates the authenticated code 
module stored in the private memory based upon the key of die processor 

28. The computing device of claim 24, furtiier comprising 
15 a token comprising a key. wherein 

the processor authenticates the authenticated code module stored in tiie 
private memory based upon ttie key of tiie token. 

29. A machine readable medium comprising one or more instructions that in 
20 response to being executed result in a computing device 

transferring an authenticated code module to a private memory associated 
with a processor, and 
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executing the authenticated code module stored in the private memory in 
response to determir>ing that the authenticated code modute stored in the private 
memory is authentic. 

5 30. The machine readable medium of claim 29, wherein the one or more 
instmctions in response to bemg executed result In the computing device 

detemiining whether the authenticated code is authentic based upon a 
digital signature of the authenticated code module. 

31 . The machine readable medium of claim 29, wherein the one or more 
instructions in response to being executed result in the computing device 

obtaining a first value from the euthenticated code module stored in the 
private memory: 

computing a second value from the authenticated code module; and 
detennining that the authenticated code module Is authentic in response to 
the first value and the second value having a predetemnined relationship. 

32. The machine readable medium of claim 29, wherein the one or more 
instructions in response to being executed result in the computing device 

20 retrieving an asymmetric key, 

decrypting a digital signature of the authenticated code module with the 
asymmetric key to obtain a first value; 

hashing the authenticated code module to obtain a second value; and 
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initiating execution of the authenticated code module in response to the 
first value and the second value having a predetemiined relationship. 

33. The machine readable medium of claim 29, wherein the one or more 

5 instmctions comprises a launch instruction that In response to l)eing executed 
results in the computing device 

retrieving an asymmetric key; 

decrypting a digital signature of the authenticated code module with the 
asymmetric key to obtain a first value; 
10 hashing the authenticated code module to obtain a second value; and 

initiating execution of the authenticated code module in response to the 
first value and the second value having a predetemnined relationship. 

34. The machine readable medium of claim 33, wherein the one or more 
1 5 Instructions in response to being executed resutt In the computing device 

receiving tiie authenticated code module via a machine readable medium 
interface. 
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